Another one, this time the original mail [1] related
to thinking about FTP-related vulnerabilities. For
an example of one such see [2].

I would imagine that there'd be similar issues with
imap: and other URI schemes (e.g. the sms: scheme
that's wending its way through the IETF [3] ;-).

Looking at wsc-xit it doesn't seem to say much at all
about de-referencing URIs other than HTTP URIs.

I would guess at minimum we might include a section
with whatever guidance we manage to gather about
other URI schemes (i.e. other than http:).

There may also be something to say about mixed
content here, e.g. if a bad guy could use some other
scheme to get from A to B (via ftp://foo) without
the user seeing the right security indicators.

Yet again, I don't have text to offer ;-)

S.

[1] http://www.w3.org/2006/WSC/track/issues/4
[2] http://www.securityfocus.com/bid/23089/info
[3] http://www.ietf.org/internet-drafts/draft-wilde-sms-uri-13.txt

Mary Ellen Zurko wrote:
>
> If you don't manage the due date of the action item so that it's not
> overdue, it will be closed due to inactivity.
>
> Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
>
>
>
> From: Mary Ellen Zurko/Westford/IBM
> To: stephen.farrell@cs.tcd.ie
> Date: 11/16/2007 08:33 AM
> Subject: ACTION-333 OPEN Elaborate on ISSUE-4 Stephen Farrell 2007-11-13
>
>
> ------------------------------------------------------------------------
>
>
> Please complete this action item asap. If you won't be able to in the
> next couple of days, please update it with a date that you will actually
> make.
>
> _ACTION-333_ <http://www.w3.org/2006/WSC/track/actions/333> OPEN
> _Elaborate on ISSUE-4_ <http://www.w3.org/2006/WSC/track/actions/333>
> Stephen Farrell 2007-11-13
>
>
>
>
> Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect